GET /Default.asp id=0;%20update%20articles%20set%20Title='%3CMETA%20HTTP-EQUIV=Refresh%20CONTENT=0;%20URL=http://www.url.com/%3E'--¦728¦800a000d¦Type_mismatch:_'[string:__0;_update_content_s_]' 80 - 111.111.111.111! HTTP/1.0 Opera/9.01+(Windows+NT+5.1;+U;+ru)
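The log line above is the kind of thing a defender wants to pick out of an IIS log automatically: decode the query string, check that a parameter that should be numeric (`id`) really is, and note which SQL keywords the decoded value carries. The following is an added example written for this thread, not code from the original post; the log line it parses is a constructed one modelled on the one above (with a documentation IP and the trailing error field dropped), and the field order (method, uri-stem, uri-query, port, username, client-ip, protocol, user-agent) is an assumption about how that log was configured.

```python
import re
from urllib.parse import unquote

# Constructed log line modelled on the one in the post. Assumed W3C field
# order: method, uri-stem, uri-query, port, username, client-ip, protocol,
# user-agent. The query string uses %20 for spaces, so it is one token.
SAMPLE_LOG = (
    "GET /Default.asp id=0;%20update%20articles%20set%20Title='%3CMETA%20"
    "HTTP-EQUIV=Refresh%20CONTENT=0;%20URL=http://www.example.com/%3E'-- "
    "80 - 192.0.2.10 HTTP/1.0 Opera/9.01+(Windows+NT+5.1;+U;+ru)"
)

# Keywords worth flagging when they show up inside a value that should be a number.
SQL_KEYWORDS = re.compile(
    r"\b(update|delete|insert|drop|alter|exec|union|select)\b", re.IGNORECASE
)


def parse_query(query):
    """Split a raw cs-uri-query field into {name: percent-decoded value}."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
        else:
            name, value = pair, ""
        # unquote (not unquote_plus): '+' is literal in this field, spaces are %20
        params[unquote(name)] = unquote(value)
    return params


def analyse_request(log_line, numeric_params=("id",)):
    """Parse one log line and report parameters that should be numeric but are not.

    Returns a dict with the method, uri-stem, client IP and a list of findings;
    each finding names the parameter, its decoded value and the SQL keywords
    seen inside it.
    """
    fields = log_line.split(" ")
    method, stem, query, _port, _user, client_ip = fields[:6]
    params = parse_query(query)
    findings = []
    for name in numeric_params:
        value = params.get(name)
        if value is None:
            continue
        if not value.isdigit():
            keywords = sorted({m.lower() for m in SQL_KEYWORDS.findall(value)})
            findings.append({"param": name, "value": value, "sql_keywords": keywords})
    return {"method": method, "stem": stem, "client_ip": client_ip, "findings": findings}


if __name__ == "__main__":
    report = analyse_request(SAMPLE_LOG)
    for finding in report["findings"]:
        print(f"{report['client_ip']} {report['stem']}: "
              f"{finding['param']}={finding['value']!r} keywords={finding['sql_keywords']}")
```

Run over a whole log, a line with an empty `findings` list is a normal request; a non-numeric `id` with `update` in it is the attempt shown above, and the client IP and decoded payload are what you would carry into the incident record.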
If this is your own code, fix it the right way. You need to "escape" all input that comes from the user. This way it can't affect the SQL query.
If this is not your own code, check for a newer version, check support forums for a fix, or install a less-vulnerable alternative.
Trapping keywords can provide partial protection. It's easier to do if all your tables have a prefix. E.g. if all your tables begin with "tbl" then it's easy to trap "UPDATE tbl", "DELETE FROM tbl" etc.
You can also do other input sanitisation, for example with your dynamic URL default.asp?id=1 you should be checking the "id" passed is numeric - this would eliminate the SQL injection you show above.
Sanitising input can only take you so far on its own. There's always the possibility of some weird, special character combination slipping through.
The only way to be (reasonably) sure is to use bound parameters via stored procedures or prepared statements. Complement this with limited db access permissions and segregated access and you'll be (reasonably) secure.
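To make the two points in this thread concrete (check that `id` is numeric, and bind it as a parameter rather than pasting it into the SQL text), here is an added example that is not code from any of the posters. The page's application is classic ASP against a database that accepts multi-statement batches; this example models that in Python with an in-memory SQLite database, using `executescript` to stand in for a batch-capable driver. The `articles` table and its rows are constructed for the example; only the `Title` column name and the injected value come from the log line in the thread.

```python
import re
import sqlite3

# The decoded id value from the log line in the thread (URL swapped for example.com).
INJECTED_ID = (
    "0; update articles set Title='<META HTTP-EQUIV=Refresh CONTENT=0; "
    "URL=http://www.example.com/>'--"
)


def make_db():
    """Constructed sample database: two articles with harmless titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, Title TEXT, Body TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "First post", "body one"), (2, "Second post", "body two")],
    )
    conn.commit()
    return conn


def titles(conn):
    """Current titles in id order, used to show whether the table was modified."""
    return [row[0] for row in conn.execute("SELECT Title FROM articles ORDER BY id")]


def lookup_vulnerable(conn, raw_id):
    """The pattern the thread warns about: the raw id is spliced into the SQL text.

    executescript runs the whole batch, the way a batch-capable driver would,
    so the 'update' that follows the ';' in the injected value is executed too.
    Returns the titles after the query so the damage is visible.
    """
    sql = "SELECT Title FROM articles WHERE id = " + raw_id
    conn.executescript(sql)
    return titles(conn)


def lookup_safe(conn, raw_id):
    """The fix: reject a non-numeric id up front, then bind it as a parameter.

    Either measure alone would stop this particular payload; together they
    cover both the 'id must be numeric' and 'use bound parameters' advice.
    """
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a plain integer")
    row = conn.execute(
        "SELECT Title FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("before:", titles(db))
    print("after vulnerable lookup:", lookup_vulnerable(db, INJECTED_ID))
    db = make_db()
    print("safe lookup of id 1:", lookup_safe(db, "1"))
    try:
        lookup_safe(db, INJECTED_ID)
    except ValueError as err:
        print("safe lookup rejected payload:", err)
    print("titles unchanged:", titles(db))
```

The vulnerable path rewrites every article title to the injected META refresh tag in one request; the safe path never lets the value reach the SQL parser as code, and the numeric check gives the application a clear point at which to log and reject the request.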